Priscilla, you may have a good point.  Perhaps, Mike, you're missing the command
"sysopt connection permit-ipsec"; this is what allows IPSec to bypass the ASA
via crypto maps.  Without it you must explicitly allow IPSec and ISAKMP in
on your access lists.  It may explain why your phase one negotiation seems
to succeed but gets no farther... and then re-transmits.  Just a guess.

C
----- Original Message -----
From: "Priscilla Oppenheimer" 
To: 
Sent: Thursday, August 01, 2002 11:59 PM
Subject: RE: VPN not connecting [7:50144]


> [EMAIL PROTECTED] wrote:
> >
> > I've been working on trying to eliminate the variables on each
> > side of the
> > VPN....  The unfortunate thing is, the other side is home, so I
> > usually wait
> > until the late evening/night to work on the remote side....
> > That's also the
> > reason for the "frustrating" comment earlier.  I know I could
> > SSH into it,
> > but, this isn't the only project I've been working on (as I'm
> > sure a lot of
> > you can relate)...  So I'm going to hopefully wrap it up by
> > this weekend.
>
> No problem, but do let us know what you learn! :-) Thanks. A few more
> comments below...
> >
> > One of the main issues I was running into was the remote
> > network was
> > subnetted from the main network so the ACLs got a little
> > confusing.
>
> I was thinking that ACLs might be related to the problem. On the crypto
> ACL that defines interesting packets that must be protected by IPSec, you
> have to get addresses and any protocols, ports, etc., just right. It
> doesn't help that PIX doesn't do the mask the same as IOS. While
> troubleshooting, you might want to make this access list pretty general
> purpose using big blocks of addresses and not worrying about ports.
>
> Now, don't confuse this with general-purpose access lists. This crypto
> access list is just for defining traffic that must be protected.
>
> >  So I've
> > changed the IP scheme on the remote side...  This also brings
> > me to another
> > question; a rather newbie one, what other ports should be
> > open(beside 500)?
> > I received an email from someone saying 50 & 51, does that
> > sound right?  If
>
> That's a different issue from the crypto access list, but also very
> important (although from what you were saying about your symptoms
> earlier, I don't think that's the problem). But it's possible for IPSec
> to fail because general-purpose access lists are denying the UDP port
> used by ISAKMP, which is 500.
>
> In addition, you should make sure that IP protocol types 50 and 51 are
> allowed. These are used by IPSec's Encapsulating Security Payload and
> Authentication Header, respectively. They aren't UDP or TCP port numbers;
> they are IP protocol numbers.
>
> I also read this confusing warning in the VPN book I'm reading. It could
> be relevant:
>
> By default, all IPSec traffic is disallowed through the PIX Firewall. A
> NAT and conduit/access list must exist for IPSec traffic to flow through
> the firewall, as in any other traffic flow. However, if a crypto map is
> assigned to an interface, IPSec traffic for that map is allowed to bypass
> the adaptive security algorithm.
>
> So, you're probably OK, there, but maybe not. Why DO they make these
> things so complicated? :-) Keep us posted. Thank-you!
>
> Priscilla
>
> > you have the, "allow any out and return in", settings for
> > firewall rules...
> > Do the ports still need to be opened (I would think not since
> > there is the
> > nat0 command?)?  The other issue I'm looking into is the MTU
> > size....
> >
> > Once I establish the tunnel and maintain connectivity I'll let
> > y'all know
> > what I find....
> >
> > Thanx for the help,
> > mkj
> >
> > -----Original Message-----
> > From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, August 01, 2002 2:54 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: VPN not connecting [7:50144]
> >
> >
> > Lidiya White wrote:
> > >
> > > Capture debugs on both ends at the same time. Should be more
> > > helpful.
> > > Make sure both ends have "isakmp identity address"...
> > >
> > > -- Lidiya White
> >
> > Sounds like a good idea. So Mike, what was the problem? It sure
> > would help those of us learning IPSec to hear how you resolved the
> > issue. Thanks.
> >
> > Priscilla
> >
> >
> > >
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On
> > > Behalf Of
> > > [EMAIL PROTECTED]
> > > Sent: Tuesday, July 30, 2002 4:05 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: VPN not connecting [7:50144]
> > >
> > > The ACLs are mirrors of each other and the transform sets
> > > match....
> > > Very
> > > frustrating....
> > >
> > > -----Original Message-----
> > > From: Silju Pillai [mailto:[EMAIL PROTECTED]]
> > > Sent: Tuesday, July 30, 2002 2:29 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: VPN not connecting [7:50144]
> > >
> > >
> > > Hi,
> > >
> > >   Please check the interesting traffic (access list) configured at
> > > both ends, and your transform set parameters too. They should be
> > > the same.
> > >
> > > As you are receiving IKMP_no_error, your isakmp policies are
> > > working fine.
> > >
> > > regards
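A PIX 6.x-style configuration sketch of the two alternatives discussed in this thread (explicitly permitting ISAKMP, ESP and AH inbound versus letting "sysopt connection permit-ipsec" bypass the interface ACL), together with the crypto ACL and the nat 0 exemption. This is an added illustration, not configuration posted by anyone in the thread; the interface addresses, LAN ranges, peer, ACL and map names, and the pre-shared key are constructed placeholders.

```cisco
! Constructed example addresses (RFC 5737 documentation ranges):
!   local outside 192.0.2.1, local LAN 10.1.1.0/24
!   remote peer  198.51.100.1, remote LAN 10.2.2.0/24
! PIX access lists take a real subnet mask, not an IOS-style wildcard mask.

! Crypto ACL: only defines which traffic gets IPSec protection. Keep it
! broad while troubleshooting (whole networks, no ports); the remote end's
! crypto ACL must be the mirror image of this one.
access-list vpn_traffic permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! Exempt tunnel traffic from NAT with the same ACL (the "nat 0" the thread mentions).
nat (inside) 0 access-list vpn_traffic

! Phase 1 (ISAKMP). Identity type must match on both ends.
isakmp enable outside
isakmp identity address
isakmp key replace-with-real-psk address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Phase 2. The transform set must match the remote end exactly.
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address vpn_traffic
crypto map outside_map 10 set peer 198.51.100.1
crypto map outside_map 10 set transform-set strong
crypto map outside_map interface outside

! Option A: explicitly permit the IKE control channel and IPSec data inbound.
! UDP 500 is ISAKMP; ESP and AH are IP protocols 50 and 51, not TCP/UDP ports.
access-list outside_in permit udp host 198.51.100.1 host 192.0.2.1 eq isakmp
access-list outside_in permit esp host 198.51.100.1 host 192.0.2.1
access-list outside_in permit ah host 198.51.100.1 host 192.0.2.1
access-group outside_in in interface outside

! Option B: let traffic for an applied crypto map bypass the interface ACL
! and the adaptive security algorithm. The thread's hypothesis: with neither
! A nor B in place, phase 1 can complete while the peer's ESP/AH is dropped.
sysopt connection permit-ipsec
```

Either option alone is sufficient; configuring both is harmless but option B is the one most commonly forgotten.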

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=50488&t=50144
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
